The Marriott breach offers four takeaways that can be useful to both senior managers and regulators: 1) cyber risk disclosure continues to be inadequate; 2) special events such as mergers and associated cost cutting can trigger cyber breaches; 3) systemic cyber risk in the system is building; and 4) boards continue to be unprepared or unqualified to deal with cyber risk.

The only way to make companies take cyber risk seriously is to impose tough disclosure requirements and actively enforce those rules.